Understanding California's New Disclosure Law

California Gov. Jerry Brown set a precedent for privacy rights last week when he signed into law Assembly Bill 370. Under the bill, which amended a section of the California Business and Professions Code, websites that collect personally identifiable information (PII) about California residents must provide a privacy policy that identifies the types of PII “the operator collects about individual consumers who use or visit its website or online service and third parties with whom the operator shares the information.”

The bill also requires website owners to disclose how they respond to “do-not-track” signals or “other mechanisms that provide consumers a choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across different websites or online services.”

Privacy advocates and politicians have been pressuring advertisers and businesses to be more transparent about the ways that they collect and track people's online activities. Among the ideas driving AB 370 was that consumers should have more information about who is following them online and the data that is being stored about them.

The bill was introduced by California Assemblyman Al Muratsuchi, a Los Angeles-area Democrat, who released the following statement: “AB 370 will protect Californians’ right to privacy by providing transparency that will allow consumers to know when their online activity is being tracked. The consumer can then make an informed decision about their use of a particular website or service.”

Companies that do not comply with the law will have 30 days to make adjustments, and those found to be deliberately negligent will be fined $2,500 per violation, according to Brett Williams, Muratsuchi's legislative director. “This isn’t meant to be a witch hunt, and the attorney general’s office will be developing best practices over the coming months so companies can make sure they’re compliant,” Williams said.

It will be difficult to enforce the law, which goes into effect on Jan. 1, said Michael Anderson, CTO and co-founder of tag-management company Tealium. Requiring data-collection vendors to explain how they respond to do-not-track signals is based on the assumption that "they actually do anything with the DNT header, which, to my knowledge, not a lot of data-collection vendors do support this," Anderson said.

The lack of a universal definition for a “do-not-track” signal is another large hole, noted Alison Pepper, senior director of public policy at the Interactive Advertising Bureau. “We still don’t have a clear definition of what do-not-track means and the [law’s] text is so ambiguous that compliance can be read in a variety of ways,” Pepper said.

In addition, requiring companies to determine which users are accessing their site from California will create “a location issue” that is particularly problematic from a mobile perspective, said Peter Cranston, CEO of 3PMobile, a software provider that helps companies extend their Web services to mobile users while balancing “the need for user data privacy and control.”

Under AB 370, “every ad server will have to determine where users are coming from, which will create problems for the companies, and in the end the consumer will still be inundated with ads,” Cranston said.

Several state and federal online privacy bills have been proposed in recent years, such as US Sen. Jay Rockefeller’s Do-Not-Track Online Act of 2013, which remains bogged down in a congressional committee. Despite its shortcomings, it is important to think of AB 370 as a “first step” towards greater privacy rights for consumers, Cranston added.

“When someone passes a law, that’s a defining part of history and what California did is just the beginning,” he said. “A lot needs to be improved upon, but at least this is a start.”